From the
‘
Open Source Blogging
‘
files:
WordPress users: RUN don’t walk to your terminal and update your WordPress self-hosted blog NOW.
There is a new WordPress 3.0.2 update now available that plugs a number of security issues — though shockingly none of them have CVE numbers (yet).
Among the security fixes is one for a Cross Site Scripting (XSS) issue that could put users at risk when a plugin is deleted.
There is also a fix for what WordPress descibes as,a “moderate security issue where a malicious Author-level user could gain further access to the site.” That’s right, your users could possible get admin access to your site unless you update to 3.0.2
Beyond security updates, there is also a really small update to the readme file, to clarify the license under which WordPress is released.
“We cannot say that WordPress as a whole is GPLv2 (i.e. “GPLv2 only”),” the WordPress changelog states. “Go back to saying just GPL.”